"port flood" treated as "port scan" resulting in blocks

Domineaux
Junior Member
Posts: 18
Joined: 19 Sep 2007, 23:42
Location: Houston, TX USA (Earth)

Post by Domineaux »

I have found that if a user's IP gets throttled by the PORTFLOOD limit, it is logged as *Port Flood*, but LFD seeing 11 of them (one more than the defined PS_LIMIT of 10) will result in LFD adding a temporary deny against the IP for "*Port Scan* detected".
ForumAdmin
Moderator
Posts: 1517
Joined: 01 Oct 2008, 09:24

Re: "port flood" treated as "port scan" resulting in blocks

Post by ForumAdmin »

That is the intended functionality. If you do not want to block particular ports, remove them from the PS_PORTS list.
Domineaux
Junior Member
Posts: 18
Joined: 19 Sep 2007, 23:42
Location: Houston, TX USA (Earth)

Re: "port flood" treated as "port scan" resulting in blocks

Post by Domineaux »

Thank you for the workaround, but are you sure that this is really the intended functionality instead of a byproduct of the way the logs are searched? Seems like the "Port Flood" log entries were a good idea so we could tell if someone was getting throttled, but the "Port Scan" function is just checking for any blocked packet logs and indiscriminately judging them as a port scan for a temporary deny.
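An added example, not part of any post in this thread and not LFD's own code: a log triage script that tallies logged packets per source IP and reports whether a count above PS_LIMIT was driven by *Port Flood* throttle entries or by other blocked-packet entries. The sample log lines are constructed, and the `Firewall: *TCP_IN Blocked*` prefix, the field layout and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines (not from the thread). The
# "Firewall: *...*" prefixes and field layout are assumed iptables LOG output.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 12:00:{i:02d} host kernel: Firewall: *Port Flood* IN=eth0 "
     f"SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT={40000 + i} DPT=80"
     for i in range(11)]
    + [f"Jan 10 12:01:{i:02d} host kernel: Firewall: *TCP_IN Blocked* IN=eth0 "
       f"SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT={2000 + i}"
       for i in range(11)]
)

LINE_RE = re.compile(
    r"Firewall: \*(?P<tag>[^*]+)\*.*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")

def tally(log_text, ps_ports):
    """Per source IP: logged packets by tag, limited to ports in ps_ports."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Ports outside the tracked list never count toward the limit.
        if not m or int(m["dpt"]) not in ps_ports:
            continue
        stats[m["src"]][m["tag"]] += 1
    return stats

def classify(stats, ps_limit):
    """Label IPs whose count exceeds ps_limit by what drove the count."""
    result = {}
    for ip, tags in stats.items():
        total = sum(tags.values())
        if total <= ps_limit:
            continue
        flood = tags.get("Port Flood", 0)
        # Without the throttle entries, would this IP still be over the limit?
        result[ip] = "flood-driven" if total - flood <= ps_limit else "scan-like"
    return result

def report(log_text=SAMPLE_LOG, ps_ports=range(0, 65536), ps_limit=10):
    return classify(tally(log_text, ps_ports), ps_limit)

if __name__ == "__main__":
    for ip, verdict in report().items():
        print(ip, verdict)
```

Passing a `ps_ports` set that omits port 80 models the suggestion of removing a port from the PS_PORTS list: the throttled client then drops out of the report.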